The Mystery of the Duqu Framework

Update 2012-03-25:
It turns out it's just some object-oriented C:
Kaspersky Lab experts now say with a high degree of certainty that the Duqu framework was written using a custom object-oriented extension to C, generally called “OO C” and compiled with Microsoft Visual Studio Compiler 2008 (MSVC 2008) with special options for optimizing code size and inline expansion.
Source


If you missed it in the news, you should definitely read this: The Mystery of the Duqu Framework.

I have a little culture around languages and frameworks, mostly because I've worked with C, C++, Objective-C, C# .Net, Java, JavaScript and PHP, but I've also read about or even done a few tests with languages like Python, Scala, Erlang, Caml, F#, VB or D. It has always been a great pleasure to discover these new languages, because each one shows how some human beings decided to create a new way of organizing intelligence. What usually happens with these new languages (and frameworks) is that we talk about them and then they either get adopted by developers or nothing is done with them. But we usually talk, at least in the beginning, a lot more about the language than about the projects done with it.

Here, security companies first discovered a virus (yet another one) and then discovered it was embedding its own framework (and we can pretty much guess there's a dedicated language behind that one). This story uncovers a real mystery with its own set of questions: why did some people decide to create a new framework? Why was it only used (or seen) in a virus? How could it be especially applicable to a virus? Why did they decide to build everything internally and not use standard C/C++ compilers?

There are a few things that are very interesting in this framework: it's a low-level framework (no standard library), but it's totally event-driven. This is quite innovative. In modern sales-speak it means: very light and very scalable. "Function table is placed directly into the class instance and can be modified after construction": you can change the behavior of any method of any object at any time. It's quite a good idea (it can easily be done in JavaScript too, though that's because JavaScript is super-permissive).
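To make the "function table in the instance" point concrete, here is a small C sketch of that idiom. It is added here and is not code from the article or from Duqu; every name in it is made up. Each object carries its own copy of the method table, so one object's method can be rebound after construction without touching the others, and for an analyst this is exactly why the call targets cannot be read off a single shared vtable.

```c
#include <string.h>

/* Constructed illustration of the "OO C" idiom: the function table
   is a member of the instance, not a shared per-class vtable. */
typedef struct Obj Obj;

typedef struct {
    int  (*handle)(Obj *self, int event);   /* event handler slot */
    void (*destroy)(Obj *self);             /* destructor slot */
} ObjVtbl;

struct Obj {
    ObjVtbl vtbl;     /* one table per object, copied at construction */
    int     counter;  /* example state: running sum of received events */
};

static int default_handle(Obj *self, int event) {
    self->counter += event;
    return self->counter;
}

static int doubling_handle(Obj *self, int event) {
    self->counter += 2 * event;
    return self->counter;
}

static void default_destroy(Obj *self) { memset(self, 0, sizeof *self); }

/* "Constructor": fills in this instance's own table. */
void obj_init(Obj *o) {
    o->vtbl.handle  = default_handle;
    o->vtbl.destroy = default_destroy;
    o->counter      = 0;
}

/* Rebind one method on one object after construction. */
void obj_set_handler(Obj *o, int (*fn)(Obj *, int)) { o->vtbl.handle = fn; }

/* Dispatch through the instance table, not through a class pointer. */
int obj_dispatch(Obj *o, int event) { return o->vtbl.handle(o, event); }

/* Two objects start identical; only one is rebound. Returns a*100+b. */
int demo(void) {
    Obj a, b;
    obj_init(&a); obj_init(&b);
    obj_dispatch(&a, 5);                    /* a.counter = 5  */
    obj_set_handler(&a, doubling_handle);
    obj_dispatch(&a, 5);                    /* a.counter = 15 */
    obj_dispatch(&b, 5);                    /* b.counter = 5, unaffected */
    int r = a.counter * 100 + b.counter;    /* 1505 */
    a.vtbl.destroy(&a); b.vtbl.destroy(&b);
    return r;
}
```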

The conclusions of this article are:

  • The Duqu Framework appears to have been written in an unknown programming language.
  • Unlike the rest of the Duqu body, it’s not C++ and it’s not compiled with Microsoft’s Visual C++ 2008.
  • The highly event driven architecture points to code which was designed to be used in pretty much any kind of conditions, including asynchronous commutations.
  • Given the size of the Duqu project, it is possible that another team was responsible for the framework than the team which created the drivers and wrote the system infection and exploits.
  • The mysterious programming language is definitively NOT C++, Objective C, Java, Python, Ada, Lua and many other languages we have checked.
  • Compared to Stuxnet (entirely written in MSVC++), this is one of the defining particularities of the Duqu framework.

Who could have done this framework? Well…
– Stuxnet, the last virus that mostly attacked Iran, was at least backed (maybe created) by the USA
– This one required the workforce of a pretty big organization (a lot of smart people put together to do evil things)
I hope we'll discover who is behind this someday.

Source: The Mystery of the Duqu Framework
